Self-Synchronizing Stream Ciphers

A self-synchronizing or asynchronous stream cipher is one in which the keystream
is generated as a function of the key and a fixed number of previous ciphertext digits.
The encryption function of a self-synchronizing stream cipher can be described by the
Equations

ði = (ci-t; ci-t+1;... ci-1);

zi = g(ði; k);

ci = h(zi;mi);

where ð0 = (c-t; c-t+1; ... ; c-1) is the (non-secret) initial state, k is the key, g is the
function which produces the keystream zi, and h is the output function which combines
the keystream and plaintext mi to produce ciphertext ci. The most common presently-used self-synchronizing stream ciphers are based on block ciphers in 1-bit cipher feedback mode

(i) Self-Synchronization. Self-synchronization is possible if ciphertext digits are deleted
or inserted, because the decryption mapping depends only on a fixed number of preceding ciphertext characters. Such ciphers are capable of re-establishing proper decryption automatically after loss of synchronization, with only a fixed number of
plaintext characters unrecoverable.

(ii) Limited Error Propagation. Suppose that the state of a self-synchronization stream cipher depends on t previous ciphertext digits. If a single ciphertext digit is modified
(or even deleted or inserted) during transmission, then decryption of up to t subsequent
ciphertext digits may be incorrect, after which correct decryption resumes.

(iii) Active Attacks. Property (ii) implies that any modification of ciphertext digits by an
active adversary causes several other ciphertext digits to be decrypted incorrectly,
thereby improving (compared to synchronous stream ciphers) the likelihood of being
detected by the decryptor. As a consequence of property (i), it is more difficult (than
for synchronous stream ciphers) to detect insertion, deletion, or replay of ciphertext
digits by an active adversary. This illustrates that additional mechanisms must be
employed in order to provide data origin authentication and data integrity guarantees.

(iv) Diffusion of Plaintext Statistics. Since each plaintext digit influences the entire following ciphertext, the statistical properties of the plaintext are dispersed through the
ciphertext. Hence, self-synchronizing stream ciphers may bemore resistant than synchronous stream ciphers against attacks based on plaintext redundancy.